ASA IOS version 9.4 Destination NAT, assistance required

soumbis12
Level 1

Hi All,

Presently, we are in a phase to migrate the whole Security devices from Juniper to ASA. The ASA version running on the device is 9.4.

Below is the nat configuration of the Juniper box.
 

static {
    rule-set All-ATMs-to-Radia {
        from zone VPN-VSAT-Branches;
        rule All-ATMs-to-Radia {
            match {
                destination-address 10.34.185.70/32;
            }
            then {
                static-nat {
                    prefix {
                        10.34.196.47/32;
                    }
                }
            }
        }
    }
    rule-set static-801-to-196 {
        from interface reth0.801;
        rule static-801-to-196 {
            match {
                destination-address 10.34.185.70/32;
            }
            then {
                static-nat {
                    prefix {
                        10.34.196.47/32;
                    }
                }
            }
        }
    }
    rule-set static-412-to-196 {
        from interface reth0.412;
        rule static-412-to-196 {
            match {
                destination-address 10.34.185.70/32;
            }
            then {
                static-nat {
                    prefix {
                        10.34.196.47/32;
                    }
                }
            }
        }
    }
    rule-set static-511-to-196 {
        from interface reth0.511;
        rule static-511-to-196 {
            match {
                destination-address 10.34.185.70/32;
            }
            then {
                static-nat {
                    prefix {
                        10.34.196.47/32;
                    }
                }
            }
        }
    }
}

Now, the zone mapping between Juniper and ASA is:

Zone: VPN-VSAT-Branches (Juniper) --> Interface: VPN-Branches (CISCO)

Interface reth0.412 (Juniper) --> Interface TPX-VPN (CISCO)

Interface reth0.511 (Juniper) --> Interface OUTSIDE (CISCO)

Real Destination IP: 10.34.185.70/32 (Belongs to VLAN 513)

Mapped Destination IP: 10.34.196.47/32 (Belongs to VLAN 512)

Need help to get the configuration syntax for ASA 9.4 so that we can achieve the same in ASA.

Warm Regards,

Soumik

2 Replies

Dinesh Moudgil
Cisco Employee

Hi Soumik,

Here is a tool to convert Juniper ScreenOS configurations to Cisco ASA configs:-
https://fwmig.cisco.com/

HTH

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

Hi Dinesh, 

Thanks for the response. I have converted the config using the tool only. But for this NAT rule, it is converted wrongly using the tool.

It is converted as

nat (any,any) source static any any destination static 10.34.185.70 10.34.185.70

As per the Juniper configuration, this is not the case against the Natting.

Hence, I need help to achieve the exact NAT config of Juniper.
Thanks in advance.

Rgrds,
Soumik
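
An added example, not part of the thread and not the Cisco migration tool: a small Python helper that reads Junos static-NAT rule-sets like those in the first post and emits ASA 8.3+ twice-NAT lines, reporting any source zone or interface with no ASA mapping instead of guessing one (reth0.801 is not in the poster's mapping list). `SERVER-IF` and the `NAT-REAL-`/`NAT-MAPPED-` object names are placeholder assumptions, and the direction assumed is the one in the Juniper rules: clients target 10.34.185.70 and the firewall translates that to 10.34.196.47.

```python
import re

# Juniper source -> ASA nameif, exactly as listed in the post.
IFMAP = {"VPN-VSAT-Branches": "VPN-Branches",
         "reth0.412": "TPX-VPN", "reth0.511": "OUTSIDE"}
SERVER_IF = "SERVER-IF"  # assumption: nameif of the interface facing 10.34.196.47

# Constructed sample: three of the post's rule-sets, whitespace condensed.
JUNOS = """
static {
  rule-set All-ATMs-to-Radia { from zone VPN-VSAT-Branches;
    rule All-ATMs-to-Radia { match { destination-address 10.34.185.70/32; }
      then { static-nat { prefix { 10.34.196.47/32; } } } } }
  rule-set static-801-to-196 { from interface reth0.801;
    rule static-801-to-196 { match { destination-address 10.34.185.70/32; }
      then { static-nat { prefix { 10.34.196.47/32; } } } } }
  rule-set static-511-to-196 { from interface reth0.511;
    rule static-511-to-196 { match { destination-address 10.34.185.70/32; }
      then { static-nat { prefix { 10.34.196.47/32; } } } } }
}
"""

RULE = re.compile(r"rule-set\s+(\S+)\s*\{\s*from\s+(?:zone|interface)\s+([^;\s]+);"
                  r".*?destination-address\s+([\d.]+)/32;"
                  r".*?prefix\s*\{\s*([\d.]+)/32;", re.S)

def translate(junos, ifmap=IFMAP, server_if=SERVER_IF):
    """Return (asa_lines, unmapped) for /32 static-NAT rule-sets."""
    lines, unmapped, seen = [], [], set()
    for name, src, matched, prefix in RULE.findall(junos):
        if src not in ifmap:
            unmapped.append((name, src))   # no ASA interface given: report, do not guess
            continue
        for label, ip in (("REAL", prefix), ("MAPPED", matched)):
            if (label, ip) not in seen:    # define each host object once
                seen.add((label, ip))
                lines += [f"object network NAT-{label}-{ip}", f" host {ip}"]
        # Static NAT is bidirectional: inbound dst matched->prefix, outbound src prefix->matched.
        lines.append(f"nat ({server_if},{ifmap[src]}) source static "
                     f"NAT-REAL-{prefix} NAT-MAPPED-{matched}")
    return lines, unmapped

if __name__ == "__main__":
    asa, skipped = translate(JUNOS)
    print("\n".join(asa))
    for name, src in skipped:
        print(f"! unmapped source {src} in rule-set {name}")
```

Each generated `nat` line names an explicit interface pair rather than `(any,any)`, and its two objects hold different addresses, so it is not an identity translation.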
